Hello guys!

Sorry if already asked on the list, but I can't find a similar
issue. (Maybe I have to improve my find skills)

We are developing a PKCS#11 library for our smartcard, actually
working great on win, Linux and osx. (No, it's not based on OpenSC,
although IMHO it should)
Yesterday we started working on the en/decryption of emails on
Thunderbird. As emails are encrypted with the public cert of
destination address Thunderbird does all encryption, and messages
arrive OK.
We have installed a cert on Thunderbird/nss and they also are decrypted.
The problem, hence the mail, comes when the private key is on our
smartcard, not on the Thunderbird. We would like to know how we can
solve it, if possible, or if it's a bug...whatever.

Our PKCS#11 library has the following mechanisms:
 -CKM_RSA_PKCS (1024). This mechanism has flags CKF_SIGN | CKF_DECRYPT
 -CKF_GENERATE_KEY_PAIR with CKM_RSA_PKCS_KEY_PAIR_GEN flag

AFAIK, emails are encrypted with a symmetric key, which is then
encrypted with the destination public key. This way, only destination
private key can decrypt the symmetric key which was used to crypt the
mail. So, we expect Thunderbird to request a C_Decrypt using my private
key and give some bytes (encrypted symmetric key), and with the
returned unencrypted key, decrypt the mail. Easy, isn't it?

After requesting for the pin, Thunderbird calls C_DecryptInit with
mechanism CKM_RSA_PKCS and my private key handle. That seems OK.
Then, it invokes C_Decrypt with some bytes (Always the same for the
same mail...128 length), and we try the following:

 RSA_private_decrypt(ulEncryptedDataLen, pEncryptedData, pData,
keyRSA, RSA_PKCS1_PADDING) where keyRSA is generated with: RSA_new()
and d2i_RSAPrivateKey(...)
 (have checked and the private key is correct. Even more, we can sign
with it without issues.)

That code returns the same bytes always (128 length), but Thunderbird
always says "Thunderbird cant decrypt the message".

Why does this happen?
Must we code C_UnWrapKey function and so to Decrypt, because Thunderbird
doesn't like our PKCS#11 just does CKM_RSA_PKCS?
Are we missing a flag?
Are we doing something wrong?

Thank you all for any help you could provide.

And btw...one more time (and hope last):
I have 2 accounts for dev-tech-crypto discussions:
 dev-tech-crypto@lists.mozilla.org
and
 mozilla-dev-tech-cry...@lists.mozilla.org
Which one is the correct one? What is each one for? Should I stop
using/delete one? Are they the same with 2 names for backward
compatibility?

Thanks a lot for your help. Much appreciated

(Sent twice, first time without subject :S)
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
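
For reference on the CKM_RSA_PKCS decrypt path described in the message above: PKCS#11 specifies that C_Decrypt with this mechanism returns the data with the PKCS#1 v1.5 padding removed and sets *pulDataLen to that length. The sketch below is an added example, not code from the post or from any library; rsa_pkcs_unpad, make_constructed_block and the typedef stand-ins for pkcs11.h are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for pkcs11.h so this compiles alone (assumption); the
   return-code values are the ones defined by the PKCS#11 standard. */
typedef unsigned long CK_RV, CK_ULONG;
typedef unsigned char CK_BYTE;
#define CKR_OK                     0x00000000UL
#define CKR_ENCRYPTED_DATA_INVALID 0x00000040UL
#define CKR_BUFFER_TOO_SMALL       0x00000150UL

/* Hypothetical helper. em is the k-byte result of the raw RSA private-key
   operation (k = 128 for a 1024-bit key), laid out as 00 02 PS 00 M.
   Reports M using the C_Decrypt length convention. Not constant time: a
   real token must not let callers tell padding failures apart. */
CK_RV rsa_pkcs_unpad(const CK_BYTE *em, CK_ULONG k,
                     CK_BYTE *pData, CK_ULONG *pulDataLen)
{
    CK_ULONG i, mlen;

    if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
        return CKR_ENCRYPTED_DATA_INVALID;
    for (i = 2; i < k && em[i] != 0x00; i++)
        ;                            /* skip the nonzero padding string PS */
    if (i == k || i < 10)            /* no separator, or PS under 8 bytes */
        return CKR_ENCRYPTED_DATA_INVALID;
    mlen = k - (i + 1);

    if (pData == NULL) {             /* length query only */
        *pulDataLen = mlen;
        return CKR_OK;
    }
    if (*pulDataLen < mlen) {        /* report the size the caller needs */
        *pulDataLen = mlen;
        return CKR_BUFFER_TOO_SMALL;
    }
    memcpy(pData, em + i + 1, mlen);
    *pulDataLen = mlen;              /* length of M, not the modulus size k */
    return CKR_OK;
}

/* Builds a constructed sample block 00 02 AA..AA 00 M with M = 0,1,2,... */
void make_constructed_block(CK_BYTE *em, CK_ULONG k, CK_ULONG mlen)
{
    CK_ULONG sep = k - mlen - 1, j;
    em[0] = 0x00; em[1] = 0x02;
    memset(em + 2, 0xAA, sep - 2);
    em[sep] = 0x00;
    for (j = 0; j < mlen; j++) em[sep + 1 + j] = (CK_BYTE)j;
}
```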
